Cyber Security Training – Don’t Just Check the Box
By Tim Coffey
September 08, 2017
A few years ago I received my cyber security training in the form of an email. It was a company-wide message from our Director of Finance. She urged us to be alert for phishing attacks when opening or taking action on emails. The night before, she had received an email from our CEO, requesting a cash wire transfer. Not the strangest request, but it warranted a closer look. Sure enough, the sender’s address wasn’t our CEO’s, even though the name field was. Whew! That was close.
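The check the Director of Finance made by eye, comparing the display name in the From header against the address actually sending the mail, can be automated in a mailbox rule or at the mail gateway. The Python below is an added example, not code from the original post; the executive directory, the trusted domain and the three sample messages are constructed placeholders. It flags a message whose display name matches a known executive but whose address does not, and a Reply-To that routes answers outside the company, which is the other common setup in a wire-transfer request.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed directory: normalised display name -> the only address allowed to use it.
# Names and domain are hypothetical placeholders, not from the original post.
EXEC_DIRECTORY = {
    "jane doe": "jane.doe@example.com",   # CEO
    "sam lee": "sam.lee@example.com",     # Director of Finance
}
TRUSTED_DOMAINS = {"example.com"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> List[str]:
    """Return finding codes for one RFC 5322 message; an empty list means nothing odd."""
    msg = message_from_string(raw)
    findings: List[str] = []

    name, addr = parseaddr(msg.get("From", ""))
    key = " ".join(name.split()).lower()           # "Jane  Doe" -> "jane doe"
    expected = EXEC_DIRECTORY.get(key)
    # The display name is whatever the sender typed; only the address is checked.
    if expected is not None and addr.lower() != expected:
        findings.append("DISPLAY_NAME_MISMATCH")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # A convincing From with replies routed off-domain is the other common wire-fraud setup.
    if reply_addr and _domain(reply_addr) not in TRUSTED_DOMAINS:
        findings.append("REPLY_TO_EXTERNAL")

    return findings


# Constructed sample messages; only the headers matter to the check.
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: Sam Lee <sam.lee@example.com>\n"
    "Subject: Q3 numbers\n"
    "\n"
    "Please send me the Q3 summary.\n"
)
SPOOFED_NAME = (
    "From: Jane Doe <jane.doe.ceo@webmail.example.net>\n"
    "To: Sam Lee <sam.lee@example.com>\n"
    "Subject: Urgent wire today\n"
    "\n"
    "I need a wire sent before close of business. Keep this between us.\n"
)
EXTERNAL_REPLY_TO = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Reply-To: Jane Doe <ceo.office@example-corp.net>\n"
    "To: Sam Lee <sam.lee@example.com>\n"
    "Subject: Vendor payment\n"
    "\n"
    "Reply with the account details you have on file.\n"
)

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoofed name", SPOOFED_NAME), ("external reply-to", EXTERNAL_REPLY_TO)]:
        print(f"{label}: {check_message(raw) or 'clean'}")
```

SPF, DKIM and DMARC stop someone forging your own domain in the From address; they do nothing about a message sent from a free webmail account with an executive's name typed into the display field, which is the case the first check covers. The directory lookup is deliberately keyed on the name, because that is the only part of the header a busy reader looks at.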
For our small company, this was an important wake up call. There are malicious grinches out there with just enough information and mean spirit to do some real damage. Prior to this incident (and a few others that followed) it didn’t seem at all necessary to deploy company-wide cyber security training.
Click Through That Compliance Cyber Security Training
If you’ve worked for a company regulated by Sarbanes-Oxley, PCI, or HIPAA, then you’ve probably clicked through your share of cyber security compliance training. So many companies filter their employees through this type of training, but is that enough?
IT security is to a company as white blood cells are to the human body – isolating threats and keeping them at bay. When that layer gets compromised, it can turn into a problem in a hurry. Fortunately, much of keeping things locked down comes down to staying vigilant and making cyber security part of company culture – just like regularly washing hands or taking a daily multivitamin.
The Human Factor
Have you ever followed someone through an unmanned security checkpoint after they’ve blipped their badge at the door’s proximity sensor? If you have, you realize humans are, indeed, the weakest link in any security configuration. The same is true for cyber security. A lapse in vigilance can be very costly. How costly? Most sources estimate cyber crime is responsible for hundreds of billions of dollars in losses each year. Juniper Research Ltd. predicts that by 2019, the total loss will be around $2 trillion globally. That’s just north of Italy’s GDP.
Not Just Cash at Stake
Money is generally the motivation for cyber attacks, but there are non-cash losses that can be equally, if not more, costly. According to the 2017 Hiscox Cyber Readiness Report, it can take anywhere from hours to months for a firm to shore up defenses following an attack. Recovery time can represent an enormous cost to a company, as technology experts scramble to stop the bleeding and get back to business as usual.
Your customers trust you, your brand, and your product. A single cyber security breach can compromise it all overnight. The Target payments network breach of December 2013 cost the company $18.5 million in settlements to 47 states (not Wyoming, Wisconsin or Alabama, in case you were wondering). And the settlements were eclipsed by the $202 million in legal fees.
Espionage to Gain an Edge
“What’s my competition up to?” “It sure would be great if I could read the emails of my political opponent.” “I bet if I took this piece of code with me when I quit, I’d be really valuable to a competing firm.” Corporate data is closely-guarded for good reason. For some manufacturers, trade secrets are the only element keeping them in business.
Who Are These People?
Verizon’s 2017 Data Breach Investigations Report indicates that while three quarters of breaches were perpetrated by outsiders, “25% involved internal actors.”
The same report found that organized criminal groups were behind just over half of breaches. A staggering 18% of breaches involved state-affiliated actors. The 2016 United States presidential election is certainly indicative of the new normal that is state-sponsored cyber crime.
How Does This Happen?
Up your password game. Oh, and stop installing stuff you find in pop-up ads. 51% of breaches involved malware.
Malware is software that, once installed, can capture your data and activity. Not surprisingly, 66% of malware was installed via malicious email attachments. And 81% of hacking-related breaches leveraged stolen and/or weak passwords. So think of that the next time you decide to change your password to “Passw0rd!”
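Why “Passw0rd!” is no better than “password”: password crackers run a wordlist through mangling rules (leet substitutions, a capital first letter, a year or a symbol tacked on the end), so that pattern is among the first few guesses tried. The Python below is an added example, not code from the original post. It undoes the common manglings and compares what is left against a deliberately tiny, constructed stand-in for a breached-password list, which is the kind of check a password policy can enforce at change time; the 12-character minimum is an assumed policy value.

```python
import re
from typing import Optional

# Substitutions that cracker mangling rules (hashcat / John "leet" rules) undo.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed, deliberately tiny stand-in for a breached/common-password list.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "summer", "winter", "admin", "acme"}

MIN_LENGTH = 12  # assumed policy minimum, not from the original post


def base_word(candidate: str) -> str:
    """Undo the usual manglings so the underlying dictionary word is visible."""
    core = re.sub(r"[\d\W_]+$", "", candidate)   # "Summer2017!" -> "Summer"
    core = core.lower().translate(LEET_MAP)      # "P@$$w0rd"    -> "password"
    return re.sub(r"^[\W_]+", "", core)          # "!!password"  -> "password"


def weakness(candidate: str) -> Optional[str]:
    """Return why the candidate is weak, or None if it passes this (minimal) check."""
    base = base_word(candidate)
    if base in COMMON_BASES:
        return f"mangled common word '{base}'"
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    for pw in ["Passw0rd!", "Summer2017!", "P@$$w0rd1", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: {weakness(pw) or 'ok'}")
```

In production the base word would be looked up against a real breached-password corpus rather than a handful of literals, and a length floor on its own is not a substitute for that lookup: “Summer2017!” clears most length rules and still falls to a wordlist plus a year rule in seconds.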
What Are They Looking For?
The majority (73%) of breaches were financially motivated, and about 21% were espionage-related. It just so happens the Kremlin’s hacking is of the financial AND espionage variety.
How Can We Protect Ourselves?
Lock systems down like your company’s assets and reputation depend on it (because they do). Invest in opportunities for IT personnel to remain current on keeping systems secure.
You’ll find the lowest-hanging fruit in training. Not the click-through compliance variety, but real, meaningful, and engaging cyber security training. Start with a heavy dose of “what’s in it for me?” so that learners feel ownership and get a sense of the huge effect, for good or for bad, that small actions can have.
Put your best instructional designers on this job and pair them with subject matter experts that have the time, knowledge, and attitude to advise on content. Also, continually update this training, as the cyber security landscape is constantly evolving. Set up a communication plan that keeps employees exposed to current cyber crime news stories.
It’s not a bad idea to launch mock attacks before and after training with different sample groups in your organization. Use one of the free mock phishing simulators available to test your learners. If your team of instructional designers, subject matter experts, and facilitators has done the job, the number of duped employees should drop significantly. This is also a great way to demonstrate that the spend was worthwhile.
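One way to make “drop significantly” mean something before the numbers go in front of whoever signs the budget, as an added example rather than anything from the original post: record, per sample group, how many employees were targeted and how many clicked in the pre-training and post-training simulations, then run a two-proportion z-test on each group and on the combined totals. The group sizes and click counts below are constructed. Note what happens to the engineering group: a modest drop in a small group is not statistically distinguishable from noise, so the honest report is that the drop is real overall but unproven for that group.

```python
import math
from typing import Dict, Tuple

# Constructed simulation results per sample group: (employees targeted, employees who clicked).
# Made up for illustration, not from the original post.
BEFORE = {"finance": (40, 14), "engineering": (60, 9), "sales": (50, 17)}
AFTER = {"finance": (40, 4), "engineering": (60, 5), "sales": (50, 6)}


def two_proportion_test(n1: int, x1: int, n2: int, x2: int) -> Tuple[float, float]:
    """Two-sided two-proportion z-test. Returns (z, p_value)."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:                      # nobody (or everybody) clicked in both rounds
        return 0.0, 1.0
    z = (p1 - p2) / se
    # P(|Z| >= |z|) for a standard normal, via the complementary error function.
    return z, math.erfc(abs(z) / math.sqrt(2))


def evaluate(before: Dict[str, Tuple[int, int]],
             after: Dict[str, Tuple[int, int]],
             alpha: float = 0.05) -> Dict[str, dict]:
    """Per-group and overall click rates, with a flag for a significant *drop*."""
    total_before = (sum(n for n, _ in before.values()), sum(x for _, x in before.values()))
    total_after = (sum(n for n, _ in after.values()), sum(x for _, x in after.values()))
    report: Dict[str, dict] = {}
    for group in list(before) + ["all"]:
        n1, x1 = total_before if group == "all" else before[group]
        n2, x2 = total_after if group == "all" else after[group]
        z, p = two_proportion_test(n1, x1, n2, x2)
        report[group] = {
            "before": x1 / n1,
            "after": x2 / n2,
            "z": z,
            "p_value": p,
            # One-directional claim: the rate went down and the drop is unlikely to be chance.
            "significant": p < alpha and x2 / n2 < x1 / n1,
        }
    return report


if __name__ == "__main__":
    for group, r in evaluate(BEFORE, AFTER).items():
        print(f"{group:12s} {r['before']:.1%} -> {r['after']:.1%}  "
              f"z={r['z']:.2f} p={r['p_value']:.3f} {'significant' if r['significant'] else 'not significant'}")
```

Two caveats the test does not remove: the groups must be drawn the same way before and after (the same departments, not the people who happened to be in the office), and the lure must be comparable in difficulty, or the drop measures the email rather than the training.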
Lastly, stop thinking of cyber security training as an event or even a series of events. It’s a process of continual improvement with far-reaching ramifications.